
How to prevent a simple user from discovering the password of SAP BO BI connections

There is a simple way to recover the password of a SAP BO BI relational connection with a few lines of code. It is useful when you have forgotten the password, and also when you want to verify that the security rules in your security baseline work as expected and that nobody can discover the database connection passwords used by SAP BO BI reports with nothing more than an ordinary logon and a small application. You can also run the test with your own non-administrator username to see whether you can read the password.

The code is based on the SAP BO SDK (Java or .NET). In the test described here it receives five parameters: CMS system, username, password, authentication type and the CUID of the connection.


1. Main Source Code

I adapted and changed the original code used in my connector “SBOPRepositoryExplorer”, which explores the CMS repository in real time through a simple universe (see How to explore SAP BusinessObjects BI CMS Repository), and ran a test to check the vulnerability. Because of SAP copyright policies I am not allowed to publish the source.

2. Create a simple user in the CMC that belongs only to the group Everyone

In the CMC, create a simple user that belongs to no group other than Everyone:

[Screenshot: CMC1.png]

[Screenshot: CMC2.png]

3. Create a simple connection to some database


For example, in IDT (Information Design Tool) create a simple relational connection for the test.

[Screenshot: IDT.png]

In our example the database username is “userOracleTst” and the password is “simplePassword123.”.


4. Test from command line

“C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sapjvm\bin\java.exe” -jar “D:\app\Tools\ConnectionProperties.jar”  BO4Server tstuser simplePassword123. secEnterprise Ace8qbWCgDlFvUmUYlHxuHs

ConnectionProperties.jar is the compiled test application that reads the properties of the connection object. The arguments are:


BO4Server is the CMS server.

tstuser is the username of the simple user created in step 2.

simplePassword123. is the password of that user.

secEnterprise is the authentication type.

Ace8qbWCgDlFvUmUYlHxuHs is the CUID of the connection created in step 3.

[Screenshot: result_656432.png, output of the test]
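The following Java program is an added example written for this page; it is not the author's ConnectionProperties.jar (whose source he cannot publish) and not SAP code. It uses only public classes of the SAP BusinessObjects Java SDK, assumes the SDK jars shipped with the platform install are on the classpath, takes the same five arguments in the same order as the command above, and dumps every property of the object the CMS returns to the logged-on user. It does not know where a given connection type stores its credentials, so read the output and look for the values you set in step 3 (here `userOracleTst`). Run it once as an administrator and once as the simple user from step 2: what the simple user sees is what the rights in the next section actually allow.

```java
import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.occa.infostore.IInfoObject;
import com.crystaldecisions.sdk.occa.infostore.IInfoObjects;
import com.crystaldecisions.sdk.occa.infostore.IInfoStore;
import com.crystaldecisions.sdk.properties.IProperties;
import com.crystaldecisions.sdk.properties.IProperty;

/**
 * ConnectionPropertiesCheck (added example, not the page's ConnectionProperties.jar):
 * log on to the CMS as the given user, fetch one object by CUID and print every
 * property the CMS returns to that user. Run as the low-privilege test user: if the
 * database credentials show up in the output, that user can read them too.
 *
 * Usage: java -cp "<SDK lib dir>/*;." ConnectionPropertiesCheck <cms> <user> <password> <auth> <cuid>
 */
public class ConnectionPropertiesCheck {

    public static void main(String[] args) throws SDKException {
        if (args.length != 5) {
            System.err.println("usage: ConnectionPropertiesCheck <cms> <user> <password> <auth> <cuid>");
            System.exit(2);
        }
        String cms = args[0], user = args[1], password = args[2], auth = args[3], cuid = args[4];

        // The CUID is concatenated into a CMS query below; real CUIDs are plain
        // alphanumerics, so reject anything else rather than risk a malformed query.
        if (!cuid.matches("[A-Za-z0-9_\\-]+")) {
            System.err.println("unexpected characters in CUID: " + cuid);
            System.exit(2);
        }

        // Log on exactly as a normal client would (auth is secEnterprise, secLDAP, secWinAD...).
        IEnterpriseSession session = CrystalEnterprise.getSessionMgr().logon(user, password, cms, auth);
        try {
            IInfoStore infoStore = (IInfoStore) session.getService("InfoStore");

            // The CMS only returns objects the logged-on user has rights to see,
            // so an empty result means "not visible to this user", not "does not exist".
            IInfoObjects result = infoStore.query(
                "SELECT * FROM CI_APPOBJECTS WHERE SI_CUID='" + cuid + "'");
            if (result.isEmpty()) {
                System.out.println("No object with CUID " + cuid + " is visible to user " + user);
                return;
            }

            IInfoObject connection = (IInfoObject) result.get(0);
            System.out.println("Object " + connection.getID() + " '" + connection.getTitle()
                + "' kind=" + connection.getKind());
            dump(connection.properties(), "");
        } finally {
            session.logoff();
        }
    }

    /** Recursively print a property bag; nested bags are printed indented. */
    static void dump(IProperties bag, String indent) {
        for (Object o : bag.values()) {
            IProperty p = (IProperty) o;
            if (p.isContainer()) {
                System.out.println(indent + p.getName() + ":");
                dump((IProperties) p.getValue(), indent + "  ");
            } else {
                System.out.println(indent + p.getName() + " = " + p.getValue());
            }
        }
    }
}
```

Compile and run it with the sapjvm shipped with the platform, as in the command above, and compare the output of the simple user with that of an administrator. The password of the test user is passed on the command line only because the page does it that way; in an automated check prefer reading it from a prompt or a protected file so it does not land in the shell history.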

5. Workaround

It is dangerous that anyone with an ordinary BO username can discover our database connection password. The right involved was introduced in BI 4.0 SP3 to secure the connection parameters (typically username, password and server name) that Web Intelligence downloads for offline use: Web Intelligence offline has to keep a local copy of the connection in order to reach the database without being connected to the CMS. To remove this exposure, deny the right “Download connection locally” in the CMC.

If the right “Download connection locally” is granted, WebI can be used offline, but any user holding the right can download the connection parameters, including the password.

If the right “Download connection locally” is denied, all sensitive connection parameters stay on the CMS and WebI can no longer be used offline. Because the parameters stay on the CMS, all database access is performed server side.

For more information see p. 845 of the Business Intelligence Platform Administrator Guide.

6. Check your connections’ security

If you want to check whether your SAP BO BI platform is correctly configured with respect to its connections, you can use the free option of the SBOPRepositoryExplorer tool.

Jorge Sousa


      4 Comments
      Jorge Sousa
      Blog Post Author

      Hi Ludek,

      Thanks for the commentaries.

      Andy Silvey

      Hi Jorge,

      the blog is presenting a major security vulnerability; this reminds me of the Invoker Servlet security vulnerability in the Portal.

      To confirm, you are saying:

      1) If a SAP Customer wants offline access to WebI

           then

                they must grant the right DownloadConnectionLocally

           in_which_case

                the security vulnerability of downloading connection parameters is opened up

      2) If the right “Download connection locally” is denied,

           then

                all sensitive connection parameters remain on the CMS

                     and

                WebI cannot be used offline anymore.

           this_is_because

                the connection parameters remain on the CMS, then all DB access is performed server side

      Is there an alternative to setting up offline WebI access without granting rights to DownloadConnectionLocally ?

      Thanks and best regards,

      Andy.

      Jorge Sousa
      Blog Post Author

      Hi Andy,

      IMHO there is no other way with the options that we currently have available in BO. The other way is to provide a patch with the same behaviour as BEx connections (connection credentials are encrypted), and then it is not necessary.

      We can only use WRC in offline mode, but without the option to refresh data when "DownloadConnectionLocally" is denied.

      Thanks again and best regards,

      Jorge Sousa

      Problem Solver

      Where can I find this ConnectionProperties.jar file? I couldn't find it anywhere on my installation.